Allow init read all non-security socket files #1577

Merged
merged 1 commit into from Dec 15, 2023

Commits on Jan 27, 2023

  1. Allow init read all non-security socket files

    Systemd uses the LoadCredential option to pass a credential to the unit.
    Credentials here are small objects that may be passed to unit processes,
    typically cryptographic keys or certificates, user account information
    or identity information from host to services.
    The credential files/IPC sockets must be accessible to the service manager,
    but don't have to be directly accessible to the unit's processes: the
    credential data is read and copied into separate, read-only copies for
    the unit that are accessible to appropriately privileged processes.
    
    Consequently, when LoadCredential is set to point to a socket file,
    systemd needs the read permission for the sock_file security class:
    
    LoadCredential=id:/run/wg-credentials.socket
    
    Systemd in its read_full_file_full() function checks exit code of
    xfopenat() and in case of -ENXIO connects to the AF_UNIX socket.
    
    The files_read_non_security_sock_files() interface was added.
    
    Addresses the following AVC denial:
    type=AVC msg=audit(1672210323.355:1362): avc:  denied  { read } for  pid=4490 comm="(sd-mkdcreds)" name="wg-credentials.socket" dev="tmpfs" ino=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
    zpytela committed Jan 27, 2023
    6f9608f
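
The open-then-connect sequence the commit message describes, as an added Python sketch that is not systemd's `read_full_file_full()` and not part of this pull request. The helper names, the temporary directory and the payloads are constructed for illustration; only the socket file name is taken from the AVC record.

```python
import errno
import os
import socket
import tempfile
import threading


def serve_credential(path, payload):
    """Constructed stand-in for a credential provider on an AF_UNIX socket."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)  # creates the socket file (tclass=sock_file under SELinux)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(payload)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread


def read_credential(path, limit=1 << 20):
    """Try a plain open() first; on ENXIO connect to the path as a socket."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno != errno.ENXIO:  # ENXIO: the path is a UNIX domain socket
            raise
    else:
        with os.fdopen(fd, "rb") as fh:
            return "file", fh.read(limit)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        with client.makefile("rb") as stream:
            return "socket", stream.read(limit)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "wg-credentials.socket")  # name from the AVC record
        file_path = os.path.join(tmp, "plain.cred")  # constructed sample file
        with open(file_path, "wb") as fh:
            fh.write(b"from-file")
        thread = serve_credential(sock_path, b"from-socket")
        results = (read_credential(file_path), read_credential(sock_path))
        thread.join(timeout=5)
        return results
```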